This is part one of a series of posts I’ll be making regarding password security. Keep an eye out for part 2 which will look into different types of password attacks.
The use of passwords to secure computer systems has been a consistent practice in computer security. Despite numerous, well-known security problems, users are required to create and remember more passwords today than ever before. Many alternatives and updates to the standard “username and password” paradigm have been suggested, but these rarely become commonplace. Why is it that passwords are still the most common means of user security when so much of computer technology has evolved considerably since they were first introduced?
Before this complex question can be answered, it is helpful to understand some of the security issues that affect password-based authentication schemes. Since password authentication exists in almost all software and web systems, users are expected to create new passwords for each system they use. Every new website, mobile application, or software system that a user intends to use requires them to input a password. Since they must be remembered, users will often choose things that easily come to mind, such as personal information including cities, sports teams, or the names of friends, family, and pets. Users may also reuse the same password across multiple systems. When one of those systems is compromised, that password can then be used to access the other systems the user has signed up to. If the user has difficulty remembering their passwords, they may also write them down or store them in places that an attacker may gain access to. Finally, as passwords are generally an unchanging, static means of authentication, an attacker who has stolen a user’s password through social engineering (e.g. a phishing attack) has unlimited access to that user’s account until the password is changed.
Based on this understanding, academic researchers and industry security organizations have been looking at ways to improve or replace the standard model of password authentication. One area that has gained considerable, though not completely widespread, use is the notion of two-factor or multi-factor authentication. These systems tend to use traditional username and password schemes with additional pieces of information required for authentication. These added factors are either something the user knows, such as the answer to a security question, or something that the user possesses. This could be a hardware-based One Time Password (OTP) token, a mobile authentication code, or a smart card. An attacker would then need both the user’s password and the additional code or hardware in order to break into their account. Since multi-factor authentication systems can require additional hardware and infrastructure to support, or may require expensive redevelopment, they are difficult for smaller companies to implement. Another scheme that has been widely researched is the use of biometric authentication, where the system authenticates the user according to a physical attribute. This unique attribute could be identified through fingerprint, eye, or facial scanning. Biometric platforms can be implemented to completely replace an existing authentication solution or can be used as part of a multi-factor system. Again, this often requires the deployment of specialized hardware and is not feasible on distributed systems such as the World Wide Web. Biometrics may be a viable solution for smartphone-based authentication and other platforms that have cameras or other hardware built in, but it is not considered generalized enough for wider usage. Several recent proposals from the security research community claim to provide greater security while still maintaining the usability and convenience of standard passwords.
These proposals include graphical or image-based passwords that are easy for users to remember but difficult for automated systems to crack. However, this will require a shift in existing development practices and wider adoption before they begin to replace the existing text-based password. Also, while these systems may be a viable option for some software or websites, older, non-graphical platforms would not be able to make use of these concepts.
With all the known security issues and possible alternatives, why then are systems still being built using standard text-based passwords? First, of these many alternatives, there is not a single system that supports all possible authentication uses. Passwords are being used to protect a vast spectrum of technologies, from financial systems, social networks, mobile phones, and desktop computers to cash machines. They are used by both online and offline systems. Any proposed alternative would need to satisfy all of these diverse requirements. Another major issue is that of user reluctance to change. Password authentication has been around since the beginning of widespread computer use, so consumers understand the paradigm and do not require any additional training to be able to use these systems. Any alternative system would need to be extremely easy to use and intuitive for the end user, or they may choose to use another service provider who still offers the “traditional” password-based system. Finally, there is no single governing body that can force this change. Companies are not permitted to enforce certain types of end-user security or hardware in order to use their service. There are no governmental rules or regulations that stipulate how a company secures its systems. Of course, redeveloping software can be quite expensive as well. For any alternative system to work, it must be voluntarily adopted by both the organization and the consumer. Until these issues are addressed and the current de facto standard is replaced, password security will remain an ongoing concern.